A need for an SBOM Exchange Platform

As technology continues to advance, the need for secure and reliable software becomes increasingly important. One important way to ensure the security and reliability of software is through the use of the Software Bill of Materials (SBOM).

An SBOM is a list of all the components that make up a piece of software, including open-source and third-party components. This list allows for better tracking and management of software components, which can help prevent security vulnerabilities and ensure compliance with licensing requirements. A central place for SBOMs is key to mitigating the risk of using the software.

Legislation mandating the use of SBOMs has been proposed in the United States, with the goal of improving software security and transparency. The proposed legislation would require software vendors to provide an SBOM for any software sold to the government, and would also encourage the use of SBOMs in the private sector. Furthermore, all entities doing business with the US federal government are now required to provide an SBOM with the software they deliver to the government. One way or another, almost all larger companies in the U.S. do business with the federal government.

https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1

In addition to improving security, sharing SBOMs can also help organizations comply with regulatory requirements. Many industries, such as healthcare (HIPAA) and finance (PCI), are subject to strict regulations that require them to maintain detailed records of all software components used in their products. By sharing SBOMs with suppliers and customers, organizations can ensure that they are meeting these regulatory requirements and avoiding any potential legal or financial penalties.

The benefits of SBOMs are clear, and the need for legislation to mandate their use is becoming increasingly apparent. By analyzing the components and dependencies used in their software products, organizations can identify opportunities for optimization and cost savings. For example, they may be able to identify redundant or obsolete components that can be replaced with better and more secure alternatives. A centralized platform for SBOMs can provide the data and tools needed to perform these analyses, helping organizations make more informed decisions about their software products.

Almost every large organization buys applications, but also creates and shares applications with its counterparties. However, if organizations only manage their own SBOMs and don’t connect to an SBOM exchange, only limited value and insight can be gained. What’s needed is a centralized SBOM exchange so that large organizations can accept SBOMs, monitor updates to them as new software releases or patches are delivered, and share the SBOMs of their own applications with external users.

To monitor compliance with internal SBOM procedures, such a centralized exchange must connect to the purchasing department's systems (such as SAP Ariba and others).

Finally, a centralized platform for SBOMs can also facilitate collaboration between different stakeholders in the software development process. That also includes tracking the software vendor's efforts in either fixing or explaining detected vulnerabilities.

By providing a single source of truth for the components and dependencies used in a software product, a centralized platform can help developers, security teams, and other stakeholders work together more effectively. This can lead to faster and more efficient software development processes, as well as improved security and compliance outcomes. In addition to transparency about the software components in use, it also enables an always up-to-date view of existing vulnerabilities and the overall software risk.

Overall, a centralized platform for SBOMs is essential for organizations that want to manage their software products more effectively and derive value from them.

At Codenotary we listened very carefully to our customers and started SBOMcenter.io as the central place to check software source code repositories, container images, and existing SBOM files (CycloneDX) to detect the latest known vulnerabilities and produce a risk score by component and for the whole project.

That includes sharing of information between customers and vendors and creating risk reports without installing any software.
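To make the "risk score by component and for the whole project" idea concrete, here is an added example (not SBOMcenter.io's code or scoring method) that parses a CycloneDX JSON document with embedded vulnerability entries and derives per-component and project scores. The SBOM, its component names and its vulnerability ids are constructed placeholders, and the severity weights and the sum-capped-at-10 rule are assumptions made for this illustration.

```python
import json

# Constructed CycloneDX 1.4 document (illustration only): component names,
# purls and vulnerability ids are placeholders, not real packages or CVEs.
SAMPLE_SBOM = """{
 "bomFormat": "CycloneDX", "specVersion": "1.4",
 "components": [
  {"type": "library", "bom-ref": "pkg:generic/libexample@1.2.3", "name": "libexample", "version": "1.2.3"},
  {"type": "library", "bom-ref": "pkg:generic/fakeparser@0.9.0", "name": "fakeparser", "version": "0.9.0"}
 ],
 "vulnerabilities": [
  {"id": "EXAMPLE-0001", "ratings": [{"severity": "high"}], "affects": [{"ref": "pkg:generic/libexample@1.2.3"}]},
  {"id": "EXAMPLE-0002", "ratings": [{"severity": "medium"}], "affects": [{"ref": "pkg:generic/fakeparser@0.9.0"}]},
  {"id": "EXAMPLE-0003", "ratings": [{"severity": "low"}], "affects": [{"ref": "pkg:generic/fakeparser@0.9.0"}]},
  {"id": "EXAMPLE-0004", "ratings": [], "affects": [{"ref": "pkg:generic/not-in-bom@1.0.0"}]}
 ]
}"""

# Assumed weighting for this example (not SBOMcenter's scoring), scale 0..10.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1, "info": 0, "none": 0, "unknown": 4}

def load_sbom(text):
    """Parse a CycloneDX JSON document; reject any other bomFormat."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom

def vuln_weight(vuln):
    """Worst rating wins; an unrated entry is scored as 'unknown'."""
    weights = [SEVERITY_WEIGHT.get(r.get("severity", "unknown").lower(), 4) for r in vuln.get("ratings", [])]
    return max(weights, default=SEVERITY_WEIGHT["unknown"])

def component_scores(bom):
    """Return ({bom-ref: score}, {bom-ref: [vuln ids]}, [dangling refs]); scores add up, capped at 10."""
    scores = {c["bom-ref"]: 0 for c in bom.get("components", []) if "bom-ref" in c}
    findings = {ref: [] for ref in scores}
    dangling = []  # advisories whose 'affects' ref matches no component in the BOM
    for vuln in bom.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            ref = target.get("ref")
            if ref not in scores:
                dangling.append(ref)
                continue
            scores[ref] = min(10, scores[ref] + vuln_weight(vuln))
            findings[ref].append(vuln["id"])
    return scores, findings, dangling

def project_score(scores):
    """Whole-project risk is driven by the worst component."""
    return max(scores.values(), default=0)
```

Dangling references are worth reporting separately: an advisory that points at a component missing from the BOM usually means the SBOM is stale or incomplete, which is exactly the gap an exchange that tracks vendor updates is meant to close.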

SBOMcenter.io can be used free of charge and without the need to install any external software or tools.